Financial crime prevention: 2023 paves the way for a busy 2024

This article was written for Financial Regulation International.

We've been providing end of year regulatory round ups for quite a few years now, and it would be safe to say there's never been a quiet year. But 2023 may just have surpassed all others! We've seen two important laws come onto the statute book, setting new requirements and giving new powers to regulators, which set the foundations for 2024 implementation. We've seen the usual enforcement actions – in fact, all but one of the fines FCA has imposed on regulated firms have been for financial crime failings – and we've had a clear message from FCA that financial crime prevention is one of its super-charged priorities for the next year.

So, what's been going on? Emma Radmore looks at 2023's main developments and what UK businesses need to prepare for in 2024.

APP Fraud: the mandatory reimbursement requirement

2024 will finally place an obligation on payment services providers to reimburse eligible customers for amounts they have lost in authorised push payment (APP) frauds. Typically under these frauds, the victim is tricked into making payment for something that never existed, is deceived as to the reason for the payment or intends to pay someone, but not the person who actually receives the funds. £485 million was lost to this type of scam in 2022, and the figures for 2023 will at least match last year's amount.

The Payment Systems Regulator (PSR) has become increasingly frustrated at its lack of official power to take action to help defrauded consumers. Now, under the Financial Services and Markets Act 2023 (FSMA 2023), it finally has those powers. It has spent much of 2023 consulting on how the mandatory reimbursement requirement will work, and has managed to finalised the package before the end of the year. The requirement is to take effect from 7 October 2024 – around six months later than PSR ideally wanted.

The requirement will protect not only consumers, but also micro-businesses and small charities. Initially, it can cover only payments made through the Faster Payments system, but the Bank of England is keen to extend it to CHAPS payments also. Customers will be protected where they are victims of APP scams within the UK, so long as they have acted appropriately. What "acting appropriately" means will be decided in line with a "standard of caution" which PSR has introduced. This is based on whether a customer wilfully ignores one or more warnings or requirements and sets a very high bar, so that only customers who have been grossly negligent will fail to meet it. And firms will always have to consider whether the customer is vulnerable – and if they are, this standard of caution can't be used against them.

Payment services providers will have to reimburse all eligible claims within five working days, with the cost split equally between the paying and the receiving payment provider. Firms will be able to set an excess, but not of more than £100, and the maximum amount reimbursable will be set at the Financial Ombudsman Service claim limit (£415.000), which will catch 98% of APP frauds.

So, although the largest banking groups have been participating in the voluntary Contingent Reimbursement Model code for some years now, and some firms have already put in place individual policies, this means a lot of work in the early part of 2024 for payment services providers to be sure they are ready for the deadline.

A new corporate criminal offence: failure to prevent fraud

Another long-awaited law that came onto the statute books in 2023 is the Economic Crime and Corporate Transparency Act 2023 (ECCTA), which includes a new corporate criminal offence of "failure to prevent fraud". Unfortunately, political wrangling has meant the offence will apply only to the largest organisations (less than 1% only of all businesses in the UK). For those entities, it will be an offence if anyone associated with that entity ("associated" meaning employees of the entity or its subsidiaries, agents or anyone else performing services for the entity or on its behalf) commits a "fraud offence" intending to benefit the organisation or anyone it provides services to on behalf of the organisation. A "fraud offence" is not only offences under the Fraud Act 2006 but also other named offences such as false accounting and fraudulent trading. There won’t be an offence if the organisation itself was intended to be the victim of the fraud, and the organisation will have a defence if it had in place reasonable prevention procedures (or it was reasonable for it not to have any).

So in many ways the offence works in the same way as the Bribery Act's "failure to prevent" offence – which is why most of the House of Lords and a significant number of the House of Commons could not understand the Government's logic in applying this offence only to the largest entities, while the Bribery Act offence applies to all businesses – and SMEs suffer the most frauds by far, so it seemed strange for the Government to deprive them of the "reasonable procedures" defence. The House of Lords made several compromise suggestions from its original position that all entities should be included, but eventually conceded to the Government's position so as not to put the entire Act in jeopardy.

The Government's position was that it would be too costly and disproportionate for anyone other than large businesses to comply with the requirement and that it "simply was not needed" for smaller businesses.

There is no set date for this new offence to take effect, and the Government has to publish its guidance on "reasonable procedures" before this can happen, but we expect this to be sooner rather than later.

There are powers in the ECCTA for a review of both what underlying offences should be covered (so, for example, to extend it to failure to prevent money laundering or other economic crimes), and what entities are covered (so there is a mechanism for extending coverage to smaller entities).

A related measure in the ECCTA, which will be in force in time for 2024 (it takes effect on 26 December 2023), is a replacement for the unpopular "identification" doctrine that is used to decide when a company commits an offence. For a defined range of economic crime offences only, a corporate will commit that offence if it is committed with the consent, connivance or neglect of a senior manager – which in turn will be the Chief Executive or Chief Financial Officer of the company, and also any other person who has significant decision making or management responsibility in relation to the relevant part of the business. This is a start in addressing another concern of SMEs – which is that because they have small boards, it is easy to impute corporate liability because of the actions of directors. Historically it has been hard to do this with larger entities because the legal test has been whether the "directing mind and will" of the company was to blame – and this woolly concept is hard both to define and prove. That said, the Serious Fraud Office has already noted that it expects to need to litigate on what "senior manager" means in this new law.

Crypto: regulatory creep with more to come

Late 2023 saw a lot of regulatory activity in the crypto-space. FSMA 2023 enabled Treasury and the Financial Conduct Authority (FCA) to bring ads relating to crypto-assets within the scope of the financial promotion restriction. This means that it is a criminal offence to make a promotion for crypto products or services to a person in the UK unless:

• The promotion is made by a person who is authorised under the Financial Services and Markets Act 2000 (an authorised person)
• The promotion is made by a person who is registered with the FCA for the purposes of anti-money laundering (AML) compliance, but only where the promotion is about its own products and services
• The promotion is approved by an authorised person, or
• The promotion falls within an exemption to the financial promotion restriction (of which there are very few that would be useful in this context – particularly if the promotion targets consumers).

This restriction took effect on 8 October 2023, and by the next working day, FCA had already issued nearly 150 warnings to firms who had put out promotions in breach of the restriction. It continues to take action to name and shame firms. In practice, also, there will be very limited appetite for approving other people's promotions, since FCA has set exacting standards for approving firms to comply with – and, from February 2024 all authorised firms wanting to approve promotions for others will need specific FCA permission to do so.

2024 and onwards will also see the start of FSMA-style regulation of crypto-providers, starting with regulation of activities related to stablecoins (that is, crypto products used for payment and backed with real (fiat) currency. We are expecting draft legislation in early 2024, with draft legislation on wider crypto-regulation later in the year. And, given the extremely low success rate of firms who have applied for registration with FCA for AML purposes, those that will now need authorisation should already know that meeting FCA's expectations will be a difficult task.

Firms behaving badly: Enforcement actions and reviews with threats

In recent years, FCA has been focussing on how it can avoid the need to take enforcement action against firms, by instilling good practice in them, and taking supervisory action before things have gone too wrong. But, where it needs to, it will use its regulatory teeth to discipline firms. In 2023, FCA imposed fines totalling over £30 million on 5 firms for breaches relating to financial crime. Most of the failings have common themes that show that the firms in question (which are not only banks) have not appreciated the importance of both business-wide and customer-specific risk assessments. As a result, they have failed to put in place the right policies, systems and controls, and have failed to carry out the right levels of due diligence on their customers and the business they do. FCA punishes these failings, with both restrictions on taking on new business and fines, regardless of whether any actual financial crime has resulted.

FCA has also made it clear in its thematic reviews over 2023 that there are poor practices within some firms that cause concern about their compliance with financial crime prevention requirements. For example, there have been reviews on systems and controls for compliance with sanctions restrictions, and targeted speeches clearly setting out its expectations. And in the background, it's been carrying out significant work that hasn't (at least yet) lead to any publicised action. For instance, in the last financial year it carried out over 350 proactive assessments of sanctions, and opened over 600 financial crime supervision cases, which was a huge increase on the previous year. As if that were not scary enough, FCA has warned firms that reducing financial crime is one of its "key super-charged priorities" for the year ahead. So the message to firms must be, as ever, to make sure they are confident they have in place the right, risk-appropriate and proactive systems and controls to fight financial crime and that they keep up to date with all FCA's expectations.

Is that it?

We've used this article to highlight the major legal and regulatory changes that are going to affect various regulated and unregulated businesses in 2024. But there are many more changes that the ECCTA and FSMA 2023 bring in that will impact, for instance, Companies House registrations and beneficial ownership, money laundering reporting thresholds, and the way regulated firms treat politically exposed persons, all of which we're also likely to see action on in the coming year.